GNUTLS-SA-2008-1 question

Josh Bressers bressers at
Mon May 19 23:04:42 CEST 2008


My name is Josh Bressers and I am a member of the Red Hat Security Response

I just found out about GNUTLS-SA-2008-1 and was wondering if you could
clear something up for me.

The advisory states it's a denial of service, but from reading the
advisory, GNUTLS-SA-2008-1-1, it sounds like it should be an exploitable
buffer overflow, not just a denial-of-service.  Are you willing to share
your reasoning for calling this a DoS rather than an arbitrary code
execution flaw?

Also, would you be willing to share the reproducer for this flaw?  We are
interested in it for QA purposes.

I'm also wondering if you'd be willing to give the Vendor Security group a
heads up on issues such as this in the future.  You can find more details
about the group here:



More information about the Gnutls-devel mailing list